V8.02.512.2025.05.30

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/etc/ssh/sshd_config

@@ -0,0 +1,134 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.02.512.2025.05.30
+
+### https://www.ssh-audit.com/
+### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
+
+Include                      /etc/ssh/sshd_config.d/*.conf
+
+Protocol                     2
+
+Banner                       /etc/banner
+DebianBanner                 no
+VersionAddendum              none
+
+Compression                  no
+LogLevel                     VERBOSE
+
+AddressFamily                any
+ListenAddress                0.0.0.0
+ListenAddress                ::
+Port MUST_BE_CHANGED
+AllowUsers                   root
+UseDNS                       no
+### Force a key exchange after transferring 1 GiB of data or 1 hour of session time,
+### whichever occurs first.
+RekeyLimit                   1G 1h
+
+HostKey                      /etc/ssh/ssh_host_ed25519_key
+HostKey                      /etc/ssh/ssh_host_rsa_key
+
+PubkeyAuthentication         yes
+PermitRootLogin              prohibit-password
+PasswordAuthentication       no
+PermitEmptyPasswords         no
+StrictModes                  yes
+LoginGraceTime               2m
+MaxAuthTries                 3
+MaxSessions                  2
+### Begin randomly dropping new unauthenticated connections after the 8th attempt,
+### with a 64% chance to drop each additional connection, up to a hard limit of 16.
+MaxStartups                  08:64:16
+### Restrict each individual source IP to only 4 unauthenticated connection slot
+### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
+PerSourceMaxStartups         4
+ClientAliveInterval          300
+ClientAliveCountMax          2
+
+AuthorizedKeysFile           %h/.ssh/authorized_keys
+
+AllowAgentForwarding         no
+AllowTcpForwarding           no
+X11Forwarding                no
+GatewayPorts                 no
+
+### A+ Rating 100/100
+RequiredRSASize              4096
+Ciphers                      aes256-gcm@openssh.com
+KexAlgorithms                sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
+HostKeyAlgorithms            sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+MACs                         hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+CASignatureAlgorithms        rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
+GSSAPIKexAlgorithms          gss-curve25519-sha256-,gss-group16-sha512-
+HostbasedAcceptedAlgorithms  sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+PubkeyAcceptedAlgorithms     sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+
+### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+### Set this to 'yes' to enable PAM authentication, account processing,
+### and session processing. If this is enabled, PAM authentication will
+### be allowed through the ChallengeResponseAuthentication and
+### PasswordAuthentication.  Depending on your PAM configuration,
+### PAM authentication via ChallengeResponseAuthentication may bypass
+### the setting of "PermitRootLogin without-password".
+### If you just want the PAM account and session checks to run without
+### PAM authentication, then enable this but set PasswordAuthentication
+### and ChallengeResponseAuthentication to 'no'.
+UsePAM                       yes
+
+### Allow client to pass locale environment variables
+AcceptEnv                    LANG LC_*
+
+### override default of no subsystems
+Subsystem                    sftp /usr/lib/openssh/sftp-server
+
+PidFile                      /var/run/sshd.pid
+PrintMotd                    no
+PrintLastLog                 yes
+TCPKeepAlive                 no
+
+### For this to work you will also need host keys in /etc/ssh/ssh_known_hosts!
+### Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication!
+HostbasedAuthentication      no
+
+### Don't read the user's ~/.rhosts and ~/.shosts files
+# IgnoreRhosts               yes
+
+# UsePrivilegeSeparation     yes
+
+### Kerberos options
+# KerberosAuthentication     no
+# KerberosOrLocalPasswd      yes
+# KerberosTicketCleanup      yes
+# KerberosGetAFSToken        no
+
+### GSSAPI options
+# GSSAPIAuthentication       no
+# GSSAPICleanupCredentials   yes
+# GSSAPIStrictAcceptorCheck  yes
+# GSSAPIKeyExchange          no
+
+# AuthorizedPrincipalsFile   none
+# AuthorizedKeysCommand      none
+# AuthorizedKeysCommandUser  nobody
+
+# PermitTunnel               no
+# ChrootDirectory            none
+# X11DisplayOffset           10
+# X11UseLocalhost            yes
+# PermitTTY                  yes
+# PermitUserEnvironment      no
+# IgnoreUserKnownHosts       no
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf